Privacy Policy
1. Purpose
The purpose of the Twin Marquis (“Twin Marquis”) Consumer Privacy Policy (“Policy”) is to provide personal data handling guidelines and notices as they relate to data sharing and usage within the organization in order to comply with applicable laws and regulations. Twin Marquis reserves the right to amend, alter and terminate this Policy at any time.
2. Scope
The Policy applies to all consumer Personally Identifiable Information (“PII”) collected, stored, shared, and disclosed by Twin Marquis.
3. Background
It is the responsibility of Twin Marquis to comply with all applicable laws and regulations, which may extend to Twin Marquis’ business partners, and to uphold Twin Marquis’ Core Values, Mission, and strategic plan by way of protecting and controlling the consumer data that we collect, process, and share. All officers, directors, employees, and contractors of Twin Marquis are required to understand their responsibilities and comply with this Policy. Therefore, any Twin Marquis business operation or practice that collects, processes, and shares consumer PII shall be managed consistent with this Policy.
4. Key Definitions
a. Personally Identifiable Information (PII): Collected data that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household. Such information may include a person’s name, address, social security number, purchasing history, biometric information, internet activity such as online trackers and use of cookies, geolocation data, employment information, education information, and so on.
b. Data Processing Agreements (DPA): A legally binding document between the data controller and the processor in writing or electronic form, which includes the particularities of data processing, such as the scope, purpose, and terms and conditions.
c. Consumer Data Manager (CDM): The CDM is the Twin Marquis employee that manages the collection, processing, sharing, and disclosing of PII. As applicable to laws, regulations, and other obligations, the CDM also manages the process to receive and respond to consumer requests for access and information, data deletion, opting out, nondiscriminatory practices per the consumer’s right to exercise these actions. The CDM is also responsible for managing third-party business relationships when PII is shared, and executing the DPA.
d. Selling: Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, of PII by the business to another business or a third party for monetary or other valuable consideration.
e. Business Purpose: Twin Marquis’ operational purposes, or other notified purposes, provided that the use of PII shall be reasonably necessary and proportionate to achieve the operational purpose for which the PII was collected or processed or for another operational purpose that is compatible with the context in which the PII was collected.
f. Commercial Purpose: To advance commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.
g. Data Controllers: Businesses that collect, determine the purpose of, and manage PII. These businesses may also share information with Twin Marquis, such as social media platforms and marketing firms.
h. Data Processors: Businesses that process information as a service for data controllers. This may include third party categories such as advertising networks, data analytic providers, government entities, operating systems and platforms, social networks, and consumer data resellers.
5. Statement of Policy
It is the policy of Twin Marquis:
a. To identify the CDM that is responsible for data collection standards and consent, handling consumer privacy inquiries, DPAs, data sharing and reporting, data deletion and opt-out, and data retention activities.
b. To mandate a Privacy Notice disclosure to the public, establish relevant procedures and practices which correspond to this Policy, and to define the permitted sharing of PII to third parties.
c. To conduct an annual review of this Policy and Privacy Notice, and assess conformity to meet applicable laws and regulations.
d. To manage data security and report data breaches or evidence of data breaches as described by applicable laws and regulations.
6. Collection of PII
a. Privacy Notice
i. The Privacy Notice shall be disclosed by Twin Marquis to the consumer at or before the collection of PII, using straightforward language, free of technical or legal jargon, and accessible for consumers with disabilities.
ii. When submitting a form online, consumers’ consent shall be obtained prior to such PII collection.
iii. The Privacy Notice is to be updated annually, and an announcement of changes to the Privacy Notice is to be provided to the consumer prior to collection of new data categories.
b. Website: Cookies Notice
i. A separate notice relating to online trackers, such as cookies, is to be disclosed to the consumer prior to activation of the online trackers. The option to opt-out is to be provided as well.
ii. Consumers’ consent shall be obtained on Twin Marquis’ website(s) prior to the activation of cookies.
c. Offline Notice
i. Prior to collecting PII in-person, such as during marketing events or at retail locations, a conspicuous link to, or the fully printed, Privacy Notice and terms shall be provided to obtain an acknowledgement signature. A mobile electronic form with the corresponding disclaimer and acknowledgement shall also be permitted.
d. PII from Other Sources
i. The Privacy Notice with an option to opt-out shall be provided to the consumer directly if the information received from another business is intended to be further shared or disclosed.
ii. PII purchased for consumer research shall be anonymized and/or deidentified as defined by applicable laws and regulations.
e. Age Restriction
i. Twin Marquis shall not seek to, nor knowingly collect, any PII from individuals under thirteen (13) years of age. PII that is inadvertently collected from a child under age thirteen (13) shall be deleted as quickly as possible and such action shall be documented. If a child under age 13 has provided Twin Marquis with PII, and if a parent or guardian of that child contacts Twin Marquis to have the information deleted, Twin Marquis shall complete the request.
7. Processing of PII
a. Data Use and Sharing
i. Use of a consumer’s PII for any purpose other than those disclosed in the corresponding Privacy Notice is prohibited, unless the consumer is directly notified of the new use, and provides explicit consent for the new use.
ii. Use of consumer PII to facilitate correspondences for commercial purposes via text messages on mobile devices shall be prohibited.
iii. Internal sharing of PII shall be restricted on a “need-to-know” basis, such as involving a business purpose, meeting regulatory obligations, or for data security.
b. Third Party Data Processors
i. Twin Marquis shall not sell consumer PII to third parties for their advertising purposes without obtaining the consumer’s consent, providing an initial choice to opt-out, and providing the third parties’ privacy policies.
c. California Consumer Privacy Act
i. For Californians who request to access information, opt out of, or delete their PII that has been collected or shared, a web-based form and toll-free number should be made available. Californians may request a report of their PII that is collected and shared from the preceding 12-month period, twice a year. The request is to be acknowledged with a response within ten (10) days, and a confirmation response shall be provided within forty-five (45) days to the consumer via a recorded correspondence.
ii. Twin Marquis shall not discriminate against consumers who exercise their privacy rights.
d. Consumer Requests and Verification
i. Consumer requests to access information, or to exercise their rights, shall be verified by matching the identifying information to a reasonable degree of certainty when requesting categories of information collected. A verification for opt-out requests is not required.
1. A toll-free number and an online request form shall be provided on the accompanying Policy Notice on all websites that collect PII.
2. Offline requests shall include a paper or electronic privacy notice, and means of consent, such as an acknowledgement and signature from the consumer.
ii. If the consumer uses an authorized agent to inquire/request, Twin Marquis may request written permission from the consumer and/or verify their own identity directly with the business. Otherwise, the inquiry may be rejected.
iii. Under no circumstances shall the following consumer PII be disclosed to the requester: social security number, driver’s license number, state identification number, medical and health information, financial account number, account passwords, or security questions and answers. Furthermore, these articles of information shall not be requested for the purpose of verification, unless absolutely necessary.
iv. If no reasonable method of verifying the identity of the consumer exists, then the consumer shall be notified of the determination that the request cannot be completed.
e. Data Retention and Deletion
i. An opt-out option shall be provided on the Twin Marquis website’s Privacy Notice, and digital correspondences to the consumer (such as via email).
ii. Consumer PII shall be retained only as necessary to facilitate the business purpose, or under legal obligations.
iii. The consumer request to delete their PII shall be clearly communicated by the consumer, followed by a second confirmation. Acknowledgment of the request shall be provided to the consumer within ten (10) days, and confirmation of the deletion shall be provided within forty-five (45) days to the consumer. Data shall be deleted in accordance with Twin Marquis’ Record Retention Policy, and the record of the request and deletion shall be retained for legal purposes. The CDM is to manage the PII deletion process and confirmation with third parties, following the consumer’s request to delete.
8. Data Security and Breach Management
a. Precaution and data security best practices are to be applied when collecting, handling, and encrypting PII where possible. However, a Data Breach Plan to include a Crisis Management Team shall be developed to prepare in the event of, or suspicion of, a data breach.
9. Training
a. The CDM and all individuals responsible under this Policy are to have adequate training to meet applicable laws and regulations.
10. Compliance
a. Failure to follow the Policy can result in possible civil and criminal sanctions against Twin Marquis and its officers, directors, and employees, and possible disciplinary action against responsible individuals, up to and including termination of employment.
11. Forms and Templates
a. The website contact form may be accessed via twinmarquisdev.flywheelsites.com
12. Internal References
a. TM Privacy Notice, available via twinmarquisdev.flywheelsites.com
b. TM Cookies Notice, available via twinmarquisdev.flywheelsites.com
13. External References
a. https://oag.ca.gov/privacy/ccpa
b. https://oag.ca.gov/privacy/databreach/reporting